Manage your passwords with pass

Posted by Fabrice on Monday, April 22, 2019 Updated on Saturday, February 24, 2024 Translation: fr

As security breaches are discovered regularly, and so leakage happens, it is recommended to have a different password on each account. However, this task is obviously a pain to maintain by hand. I did use a notebook back in 2003, which I lost within a month, given that I'm a very organized person.

Hopefully, many password managers exist, with similar features: cross-platform (especially smartphone support), password generation, browser integration…

I'm not here to compare them, if you want to give a look, Wikipedia provides a nice comparison table there.

However, thanks to moviuro, my choice is pass along with pass-otp (and passmenu). I don't intend either to make a comprehensive guide, as those already populate the internet, for example here.

To make it short, pass is a bash scripts using git, gpg written by zx2c4.

Here are just some commands I often use.

pass generate -i <pass-name>

To regenerate a password, the -i is important to avoid overwriting the whole file and having to rely on dirty git to withdraw your mistake (pass <cmd> will automatically commit your change)… I sometimes forget it, so let's put it here as a reminder.

Sometimes it can be useful to specify the accepted special chars, this can be done using the PASSWORD_STORE_CHARACTER_SET environment variable. This value is interpreted by the tr command, hence to create a PIN, you can use the following value: PASSWORD_STORE_CHARACTER_SET='[:digit:]', then specify the length with the last argument.

For instance, to generate a 6 digit PIN:

PASSWORD_STORE_CHARACTER_SET='[:digit:]' pass generate <pass-name> 6

I didn’t manage to specify how to have at least one of them, so I run the command multiple times (with the -i option to change the file in place after the first one)… It pollutes a bit the git history but, well… it works.

For instance, for a service supporting only the following characters: -_@$<> of at most 20 char long (fictive example), you can use the following command:

PASSWORD_STORE_CHARACTER_SET='[:alnum:]-_@$<>' pass generate <pass-name> 20

If for some reasons you want to rotate your keys, you can rerun the pass init command by indicating the new gpg ID (or multiple keys to have it available under multiple devices that don’t share the same key to limit the risks of key leakage). Note that you can also have a subfolder encrypted under a specific key (it can be specified using the -p/--path= option for pass init) if you want to share it to some other devices, or to separate work from personal passwords. It should be possible to use git submodule as well, but I didn’t try.

To finish:

pass git <whatever you want>

To do whatever you want with git, especially dirty git 😉

And finally, I'm using password-store on my android phone.

tags: pass, git, cli